Title: Remote file upload vulnerability in wpe-indoshipping v2.5.0 wordpress plugin [Previously Discovered] |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-07-13 |
CVE-ID:[CVE-none] |
CWE: |
Download Site: https://wordpress.org/plugins/wpe-indoshipping |
Vendor: http://www.balitechy.com/ |
Vendor Notified: 2015-07-13 |
Vendor Contact: ekaputra[at]balitechy.com |
Advisory: |
Description: Indonesian shipping special plugins to integrate with the plugin WP - Ecommerce. The final test at the WP - Ecommerce version 3.8.11.1 With WPE Indoshipping then you can display a list of postage per area in Indonesia that you choose . Suitable to display a list of postage from JNE , TIKI or the other and will directly affect the value of your order . |
Vulnerability: The ./wpe-indoshipping/admin/upload-file.php doesn't validate the users ability to upload files or the type of file being uploaded.
1 <?php
2 $upload_path = $_POST['upload_path'];
3 $filename = $_FILES["uploadfile"]["name"];
4 if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $upload_path.$filename)) {
5 echo $filename;
6 } else {
7 echo 'error';
8 }
9 ?>
The attacker will need to guess the path to a writeable directory in the web servers root. |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory